CN116961967A - Data processing method, device, computer readable medium and electronic equipment - Google Patents


Info

Publication number
CN116961967A
Authority
CN
China
Prior art keywords
network access
api
application
comparison result
access ticket
Legal status
Pending
Application number
CN202211400208.3A
Other languages
Chinese (zh)
Inventor
吴岳廷
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The application belongs to the technical field of data processing and relates to a data processing method, a data processing device, a computer readable medium and electronic equipment. The data processing method comprises: acquiring the event trigger time corresponding to a target request, wherein the target request is an application request or a use request for a network access ticket, and the network access ticket relates to zero-trust network access; determining a detection time period based on the event trigger time, and acquiring the API call information corresponding to the detection time period; and judging the compliance of the zero-trust network access according to the API call information, the necessary logic process of zero-trust network access and a marker API. The application can accurately judge whether a network access is abnormal, improves the reliability of the zero-trust security management system and its ability to resist attacks, and further improves the zero-trust network security of the terminal and the office security of enterprises.

Description

Data processing method, device, computer readable medium and electronic equipment
Technical Field
The application belongs to the technical field of data processing, and in particular relates to a data processing method, a data processing device, a computer readable medium and electronic equipment.
Background
There are a large number of advanced persistent threats in the network environment, such as APT attacks, which typically use customized malware, 0-day vulnerabilities or related evasion techniques to break through traditional defense and detection devices based on file features, such as IPC, firewalls, AV and the like, and attack unknown vulnerabilities in a system as well as known vulnerabilities that cannot be patched in time. An attacker uses different applications on the attacking device to access resources such as internal sites, data or function interfaces of an enterprise, in order to probe system vulnerabilities, probe the open sensitive ports of enterprise resources and the like, and bypasses the security detection logic by injecting malicious code into applications, so as to enter the link in which the client and server issue network access tickets under the access control policy. Furthermore, by compromising a host and applying for network access tickets through a plurality of applications, a DoS attack on intranet services is launched.
With the wide use of zero-trust security management systems, the terminal network environment in which such a system is built is complex and easily attacked; therefore, while ensuring that users can access resources normally, an attacker must also be prevented in time from using a compromised host to access enterprise resources.
Disclosure of Invention
The application aims to provide a data processing method, a data processing device, a computer readable medium and electronic equipment, which can overcome the problems of low security and poor usability of zero-trust network systems in the related art.
Other features and advantages of the application will be apparent from the following detailed description, or may be learned by the practice of the application.
According to an aspect of an embodiment of the present application, there is provided a data processing method, including: acquiring the event trigger time corresponding to a target request, wherein the target request is an application request or a use request for a network access ticket, and the network access ticket relates to zero-trust network access; determining a detection time period based on the event trigger time, and acquiring the API call information corresponding to the detection time period; judging the compliance of the zero-trust network access according to the API call information, the necessary logic process of zero-trust network access and a marker API, wherein the necessary logic process of zero-trust network access comprises the necessary logic process for applying for a network access ticket and the necessary logic process for using a network access ticket, and the marker API is an API, embedded in advance, that relates to the control process of the zero-trust security management system.
According to an aspect of an embodiment of the present application, there is provided a data processing apparatus including: an acquisition module for acquiring the event trigger time corresponding to a target request, wherein the target request is an application request or a use request for a network access ticket, and the network access ticket relates to zero-trust network access; the acquisition module is further used for determining a detection time period based on the event trigger time and acquiring the API call information corresponding to the detection time period; and a judging module for judging the compliance of the zero-trust network access according to the API call information, the necessary logic process of zero-trust network access and the marker API, wherein the necessary logic process comprises the necessary logic process for applying for a network access ticket and the necessary logic process for using a network access ticket, and the marker API is an API, embedded in advance, that relates to the control process of the zero-trust security management system.
According to an aspect of the embodiments of the present application, there is provided a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements a data processing method as in the above technical solutions.
According to an aspect of an embodiment of the present application, there is provided an electronic apparatus including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the data processing method as in the above technical solution via execution of the executable instructions.
According to an aspect of an embodiment of the present application, there is provided a computer program product comprising computer instructions which, when run on a computer, cause the computer to perform a data processing method as in the above technical solution.
The data processing method provided by the embodiment of the application comprises, first, acquiring the event trigger time corresponding to a target request, wherein the target request is an application request or a use request for a network access ticket, and the network access ticket relates to zero-trust network access; then determining a detection time period based on the event trigger time, and acquiring the API call information corresponding to the detection time period; and finally judging the compliance of the zero-trust network access according to the API call information, the necessary logic process of zero-trust network access and the marker API, wherein the necessary logic process of zero-trust network access comprises the necessary logic process for applying for a network access ticket and the necessary logic process for using a network access ticket, and the marker API is an API, embedded in advance, that relates to the control process of the zero-trust security management system. The application can embed the marker API related to the control process of the zero-trust security management system in advance in the logic process for applying for or using a network access ticket; when an application or use request for a network access ticket is received, the API call records within the detection time period are obtained, and by judging whether the caller's process in the API call records follows the necessary logic path for applying for or using the ticket, and whether the recorded call information is identical to the call information of the marker API corresponding to that necessary logic process, normal and abnormal network access can, on the one hand, be distinguished accurately; on the other hand, the method can resist an attacker tampering with the terminal service to bypass the detection logic and the access control policy, or using a compromised host to execute a DoS attack on the server,
so that the reliability of the zero-trust security management system and its ability to resist attacks are improved, and the zero-trust network security of the terminal and the office security of the enterprise are further improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application. It is evident that the drawings in the following description are only some embodiments of the present application and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 schematically shows a structural diagram of a system architecture to which a data processing method in an embodiment of the present application is applied.
Fig. 2 schematically shows a flow chart of steps of a data processing method in an embodiment of the application.
FIG. 3 schematically illustrates an architecture diagram of a zero trust security management system used in an enterprise resource system in an embodiment of the application.
Fig. 4 schematically illustrates a data processing flow diagram of an iOA zero-trust security management system in an embodiment of the application.
Fig. 5 schematically shows an interface diagram of a configured zero trust gateway in an embodiment of the application.
Fig. 6 schematically shows an interface diagram for policy configuration on a policy management page in an embodiment of the present application.
Fig. 7 schematically shows an interface diagram for configuring a user accessible business system in an embodiment of the application.
FIG. 8 schematically illustrates an interface diagram for configuring a user-accessible site at the add resource page in an embodiment of the application.
Fig. 9 schematically shows a block diagram of the structure of a data processing apparatus in the embodiment of the present application.
Fig. 10 schematically shows a block diagram of a computer system suitable for use in implementing embodiments of the application.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the application may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the application.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
In the related art, an enterprise administrator formulates and issues a zero-trust access control policy per specific user or per user group, according to dimensions such as enterprise resources, trusted application characteristics and device information; traffic that targets enterprise resources and complies with the access control policy is screened out of the network traffic hijacked by the access agent and, after a network access ticket has been applied for, is sent to the gateway on the resource side, which performs proxied access for the traffic. In this process the access agent and the access gateway form a data channel for enterprise resource access traffic, while the zero-trust client and the zero-trust server control whether permitted traffic may pass through that channel.
When the zero-trust server issues a network access ticket, an important factor is whether the application initiating the traffic is trusted. The zero-trust client is responsible for collecting characteristic information of the application accessing the resource, including the hash value of the application's executable file, its copyright information and its digital signature information; after receiving this information, the server identifies, according to the zero-trust network access policy and application detection information (for example, whether the process belongs to a high-risk process, judged by the hash value of the executable file), whether the application poses a security risk and whether it has the authority to access enterprise resources.
The related art has corresponding disadvantages: an attacker uses different applications on the attacking device to access resources such as internal sites, data or function interfaces of an enterprise, in order to probe system vulnerabilities, probe the open sensitive ports of enterprise resources and the like, or bypasses the security detection logic by injecting malicious code into applications, so as to enter the link in which the client and server issue network access tickets under the zero-trust access control policy. Furthermore, by compromising a host and applying for network access tickets through a plurality of applications, a DoS attack on intranet services is launched, and the security and availability of the zero-trust network system are greatly reduced.
In view of the related art in this field, the embodiment of the application provides a data processing method which, by detecting and judging compliance in the application and use stages of network access tickets, effectively defends against attacks, improves the reliability and safety of the zero-trust access control system and improves enterprise office security. Before the data processing method in the embodiment of the application is explained in detail, the technical terms involved are explained.
1. Login credentials: after a user successfully logs in to the zero-trust client, the zero-trust server assigns the user an encrypted string that represents the user's login authorization information, including user information and the validity period of the authorization. The login credentials are stored in the client in encrypted form.
2. Network request ticket: authorization information issued by the zero-trust server for a single network request, identifying the authorization status of that network request.
3. Zero-trust access control policy: consists of the process information available to the user (trusted applications) and the accessible service sites (reachable areas); once the permission is granted, the user can access any of the reachable areas through any of the trusted applications. The granularity of the zero-trust access control policy is the logged-in user, so that different zero-trust policies can be formulated for different logged-in users.
4. Zero-trust gateway: deployed at the entrance to enterprise applications and data resources, responsible for verifying and forwarding each session request that accesses enterprise resources.
5. Access agent: a terminal access agent deployed on the controlled device that initiates secure access; it is responsible for initiating the trusted identity authentication request of the access subject and verifying the trusted identity, can establish an encrypted access connection with the access gateway, and is also the policy enforcement point for access control.
6. Direct access: in the zero-trust network access architecture, an application initiates a network access request to a site; after the full-traffic agent hijacks the traffic, the network access to the target site is initiated via the full-traffic agent itself, i.e. a direct connection, and the full-traffic agent returns the target site's network response to the application. This access mode is called direct access.
7. Proxy access: in the zero-trust network access architecture, an application initiates a network access request to a site; after the full-traffic agent hijacks the traffic, it forwards the traffic to the intelligent gateway, the intelligent gateway accesses the target service site on the application's behalf and, after the access, returns the target site's network response to the full-traffic agent, which forwards it to the application. This access mode is called proxy access.
8. Access subject: in the network, the party initiating the access, i.e. the person/device/application accessing the intranet business resource; it is a digital entity formed by a single factor or a combination of factors such as person, device and application.
9. Access object: in the network, the party being accessed, i.e. the business resources of the enterprise intranet, including applications, systems (development and test environments, operation and maintenance environments, production environments, etc.), data, interfaces, functions, etc.
10. Persistence library: data persistence is the general term for converting a data structure or object model in memory into a relational model, XML, JSON, binary stream and the like, and for converting such a storage model back into an in-memory data model. The persistence library is the storage medium, such as a disk file or data file on the device, into which the in-memory relational model, XML, JSON, binary stream and the like are converted; it can be implemented with an encrypted file, an embedded database and the like.
11. Policy: a set of rules for enterprise terminal management issued by an administrator at the management end, including patch repair, zero-trust network management and control, security hardening policies, etc. Policies may contain sensitive information such as tickets, validity periods, numbers of permitted uses, etc.
12. Five-tuple: a communications term for the set of five quantities of a network access flow: source IP address, source port, destination IP address, destination port and transport-layer protocol.
Next, an exemplary system architecture to which the technical solution of the present application is applied will be described.
Fig. 1 schematically shows a block diagram of an exemplary system architecture to which the technical solution of the present application is applied.
As shown in fig. 1, system architecture 100 may include a terminal device 101, a zero-trust server 102, a business server 103, a zero-trust gateway 104, and a network. The terminal device 101 may be any of various electronic devices with a display screen, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart television or an intelligent vehicle-mounted terminal. A zero-trust client is installed in the terminal device 101, and after a user logs in to the zero-trust client through the terminal device 101, the zero-trust client, the zero-trust server 102 and the zero-trust gateway 104 may together form a zero-trust security management system that provides security assurance for enterprise resource access services. The zero-trust server 102 provides the zero-trust security management system with services such as policy issuing, network access ticket issuing and checking, reporting of unknown processes and security detection; the business server 103 provides enterprise resources to users accessing the enterprise business system. The zero-trust server 102 (the iOA server) and the business server 103 may be independent physical servers, a server cluster or distributed system formed by a plurality of physical servers, or cloud servers providing cloud computing services. The zero-trust gateway 104 is deployed at the entrance to enterprise applications and data resources and is responsible for the authentication, authorization and forwarding of each session request that accesses an enterprise resource. The network may be a communication medium of any connection type capable of providing a communication link between the terminal device 101 and the zero-trust server 102 and between the terminal device 101 and the business server 103, for example a wired or a wireless communication link.
The system architecture in the embodiments of the present application may have any number of terminal devices, zero-trust servers, business servers and networks, as the implementation requires. For example, the zero-trust server or the business server may be a server group consisting of a plurality of server devices. In addition, the technical scheme provided by the embodiment of the application can be applied to the terminal device 101, and in particular to the zero-trust client in the terminal device 101.
In one embodiment of the present application, the access subject initiates a network access request for the access object through an application installed in the terminal device 101; the zero-trust client hijacks the network request through the proxy client, and the proxy client initiates an authentication request to the zero-trust client, that is, it applies to the zero-trust client for the credentials of the current network request. After receiving the authentication request, the zero-trust client sends a network access ticket application request to the zero-trust server 102; the zero-trust server audits the information contained in the request and, when the audit passes, sends the network access ticket, the maximum number of ticket uses, the ticket validity time and similar information to the zero-trust client, which forwards it to the proxy client. After the proxy client receives this information it can store it in memory in encrypted form; when it needs to use the ticket, it obtains the encrypted network access ticket from memory, decrypts it, and forwards the original network access traffic based on the ticket. When the proxy client forwards the original network access traffic based on the network access ticket, it first sends the original network access request and the network access ticket together to the zero-trust gateway 104, which proxies the actual service access; the zero-trust gateway 104 then sends the network access ticket to the zero-trust server 102 for verification, and when the verification passes, the zero-trust gateway 104 sends the original network access request to the corresponding business server 103 to obtain the corresponding enterprise resource, which is returned to the proxy client.
In one embodiment of the present application, the zero trust server 102 and the business server 103 in the present application may be cloud servers providing cloud computing services, that is, the present application relates to cloud storage and cloud computing technologies.
Cloud storage is a concept that extends and develops the concept of cloud computing. A distributed cloud storage system (hereinafter referred to as a storage system for short) is a storage system that, through functions such as cluster applications, grid technology and a distributed storage file system, integrates a large number of storage devices of different types (also referred to as storage nodes) in a network so that they work cooperatively through application software or application interfaces, and so provides data storage and service access functions to the outside.
At present, the storage method of the storage system is as follows: when a logical volume is created, each logical volume is allocated a physical storage space, which may consist of the disks of one storage device or of several storage devices. The client stores data on a certain logical volume, that is, the data is stored on a file system; the file system divides the data into a plurality of parts, each part being an object that contains not only the data but also additional information such as a data identifier (ID). The file system writes each object into the physical storage space of the logical volume and records the storage location information of each object, so that when the client requests access to the data, the file system can let the client access the data according to the storage location information of each object.
The process by which the storage system allocates physical storage space to the logical volume is as follows: physical storage space is divided into stripes in advance according to the set of capacity measures for the objects stored on a logical volume (which measures tend to have a large margin with respect to the capacity of the objects actually to be stored) and the RAID (Redundant Array of Independent Disks) configuration, and a logical volume can be understood as a stripe, whereby physical storage space is allocated to the logical volume.
Cloud computing is a computing model that distributes computing tasks across a large pool of computers, enabling various application systems to acquire computing power, storage space and information services as needed. The network that provides the resources is referred to as the "cloud". From the user's point of view, resources in the cloud are infinitely expandable and can be acquired at any time, used as needed, expanded at any time and paid for according to use.
As a basic capability provider of cloud computing, a cloud computing resource pool (cloud platform for short, generally referred to as an IaaS (Infrastructure as a Service) platform) is established, in which multiple types of virtual resources are deployed for external clients to select and use.
According to the division of logical functions, a PaaS (Platform as a Service) layer can be deployed on the IaaS layer, and a SaaS (Software as a Service) layer can be deployed above the PaaS layer, or SaaS can be deployed directly on IaaS. PaaS is a platform on which software runs, such as a database or a web container. SaaS is a wide variety of business software such as web portals and SMS mass senders. Generally, SaaS and PaaS are upper layers relative to IaaS.
The following describes in detail the data processing method, the data processing apparatus, the computer readable medium, the electronic device and other technical schemes provided by the present application in connection with the specific embodiments.
Fig. 2 schematically shows a flow diagram of the steps of a data processing method in one embodiment of the application, which is performed by a zero trust client, which may in particular be the zero trust client installed in the terminal device 101 in fig. 1. As shown in fig. 2, the data processing method in the embodiment of the present application mainly includes the following steps S210 to S230.
Step S210: acquiring event triggering time corresponding to a target request, wherein the target request is an application request or a use request of a network access ticket, and the network access ticket is related to zero-trust network access;
Step S220: determining a detection time period based on the event triggering time, and acquiring API call information corresponding to the detection time period;
Step S230: judging the compliance of the zero trust network access according to the API call information, the necessary logic processes of zero trust network access and a marking API, wherein the necessary logic processes of zero trust network access comprise a necessary logic process for applying for a network access ticket and a necessary logic process for using a network access ticket, and the marking API is an embedded API related to a control process of a zero trust security management system.
The data processing method provided by the embodiment of the application pre-embeds the marking API related to the control process of the zero trust security management system in the logic process of applying for or using a network access ticket, and acquires the API call records within the detection time period after receiving an application request or use request for a network access ticket. On the one hand, by judging whether the caller's flow in the API call records conforms to the necessary logic path for applying for or using the network access ticket, and whether the call information is the same as the call information of the marking APIs corresponding to that necessary logic process, normal network access and abnormal network access can be distinguished accurately; on the other hand, the method can resist an attacker who falsifies the terminal service to bypass the detection logic and the access control policy, or who uses an attack host to execute a DoS attack on the server, so that the reliability of the zero trust security management system and its ability to resist attacks are improved, and the security of the terminal's zero trust network and of enterprise office work is further improved.
The following describes the steps of the data processing flow for network access based on the zero trust security management system in the embodiment of the present application, taking the zero trust security management system iOA (Intelligent Office Automation) as an example, where the zero trust client is the iOA client and the zero trust server is the iOA server. Before explaining the data processing method of the present application, the zero-trust security management system of the present application and the flow of network access based on it are explained first.
In one embodiment of the application, the zero trust security management system adopts a novel "4A office" approach that grants access rights based on trusted identities, trusted devices, trusted applications and trusted links, and enforces that, from Anywhere, at Anytime, on Any device and for Any work, every access to an authorized resource must be authenticated, authorized and encrypted. Fig. 3 schematically illustrates an architecture diagram of the zero-trust security management system in an enterprise resource system. As shown in fig. 3, the zero-trust security management system 300 includes a zero-trust client 301, a zero-trust gateway 302 and a zero-trust server 303; further, a proxy client 304 may be separated out from the zero-trust client 301. The proxy client 304 and the zero-trust gateway 302 provide a unified portal through which an access subject accesses the resources of an access object via network access requests; the zero-trust client 301 and the zero-trust server 303 provide the authentication operation for the unified portal, and only network requests that pass authentication are forwarded by the proxy client 304 to the zero-trust gateway 302, which proxies the access to the actual service system.
FIG. 4 schematically illustrates a data processing flow diagram for network access based on the iOA zero-trust security management system. As shown in FIG. 4: (1) an access subject initiates a network request (pid-URL) for an access object through an application installed in the terminal device; (2) the iOA client installed in the terminal device hijacks the network request through the proxy client, and the proxy client initiates an authentication request to the iOA client, that is, applies to the iOA client for the network access credential of the current network request, where the request parameters in the authentication request include the source IP or domain name, the source port, the destination IP or domain name, the destination port, and the process identifier PID (Process ID) corresponding to the application; (3) the iOA client acquires the MD5 of the process, the process path, the latest process modification time, the copyright information, the signature information and the like through the process PID sent by the proxy client; (4) the iOA client applies to the iOA server for a ticket according to the MD5 of the process, the process path, the latest process modification time, the copyright information, the signature information and the like, together with the source IP or domain name, source port, destination IP or domain name and destination port of the network request transmitted by the proxy client; the iOA server examines the parameters in the ticket application request and, if the examination passes, generates a network access ticket and sends the network access ticket, the maximum number of uses of the ticket and the validity time of the ticket to the iOA client; (5) the iOA client sends the collected application process to the iOA server, so that the sending service in the iOA server forwards it to the cloud virus checking and killing service for virus detection; (6) the iOA client sends the received network access ticket, maximum number of ticket uses and ticket validity time to the proxy client as a response; (7) the proxy client first initiates an HTTPS request to the zero trust gateway, in which the network access ticket transmitted by the iOA client is carried in the Authorization header field; (8) after receiving the request of the proxy client, the zero trust gateway parses the network access ticket in the header field and submits the ticket to the iOA server for verification; (9) the iOA server sends the verification result to the zero trust gateway, and if verification succeeds, the zero trust gateway and the proxy client establish a connection successfully; (10) the proxy client sends the original network request to the zero trust gateway, and the zero trust gateway forwards the original network request to the corresponding service server, thereby proxying the actual application network access; (11) the service server feeds back the corresponding service resource to the zero trust gateway; (12) the zero trust gateway feeds back the service resource to the proxy client; (13) the proxy client feeds back the service resource to the terminal device. If the verification of the network access ticket in (8) fails, the proxy client is disconnected from the zero trust gateway.
As shown in fig. 4, a plurality of service modules, such as a policy center, a ticket center, a sending service and a security detection service, are provided in the iOA server.
The policy center is used to configure and issue the zero trust network access policy. When the zero trust network access policy is configured, the iOA server communicates with the iOA management end and a corresponding page is displayed in the display interface of the iOA management end, so that an enterprise administrator can conveniently configure the policy on that page; after the configuration is completed, the zero trust network access policy is issued to the iOA client, so that the iOA client manages the user's network resource access according to the zero trust network access policy. FIGS. 5-8 schematically illustrate configuration interfaces of a zero trust network access policy: as shown in FIG. 5, an enterprise administrator may configure the zero trust gateway on the zero trust gateway page; as shown in FIG. 6, an enterprise administrator may perform policy configuration on the policy management page, such as configuring trusted applications and configuring service systems; as shown in FIG. 7, an enterprise administrator may configure the service systems accessible to users on the accessible service system page, and different accessible service systems may be set for different users or user groups; as shown in FIG. 8, an enterprise administrator may configure the sites accessible to users on the add resource page.
The ticket center feeds back the network access ticket in response to the ticket application request of the iOA client, and verifies the network access ticket after the zero trust gateway receives the network access ticket.
The sending service sends the process of the application uploaded by the iOA client to the cloud virus checking and killing service for virus detection.
The security detection service specifically comprises an identity verification module, a device trust module and an application detection module. The identity verification module verifies the identity of the user, the device trust module verifies the hardware information and security state of the terminal device, and the application detection module detects whether the application process is secure, for example whether a vulnerability exists or whether a virus or Trojan is present. When the security detection service passes the detection in each dimension, the network access ticket is sent to the iOA client; meanwhile, the sending service continues to check the process for viruses, and when a virus is found in the process, the iOA client is notified to execute an asynchronous blocking operation and the use of the network access ticket is interrupted.
When the proxy client hijacks application traffic, two hijacking schemes exist: full-traffic hijacking and enterprise-traffic hijacking. Full-traffic hijacking hijacks all network access traffic sent by the terminal device: a zero trust architecture based on full-traffic hijacking introduces a proxy client based on a virtual network card or kernel-driver traffic redirection to hijack the network access traffic in the terminal device, the traffic characteristics are filtered by the zero trust network access control policy, and traffic destined for an internet site is either connected directly to the target site or data access interface by the proxy client, or identified as internet site access on the kernel redirection side and sent directly to the target service system or access interface; meanwhile, network access traffic to the enterprise data acquisition service site is released directly, and after the network access ticket application passes, the zero trust gateway performs the access proxy. Enterprise-traffic hijacking hijacks only the network access traffic corresponding to the enterprise sites, service systems, applications, interfaces and the like configured in the zero trust network access policy, and after the network access ticket application passes, the zero trust gateway performs the access proxy.
One purpose of the application is to protect the security of enterprise office work, so the focus of the embodiments of the application is the access control of enterprise resources. In the access control of enterprise resources, for access to enterprise data, interfaces or business sites through the zero trust security management system to succeed, the access subject must successfully apply for a network access ticket, and the zero trust gateway must successfully complete verification of that network access ticket. Because a network access ticket remains valid for a certain period after it is successfully applied for, and may be used repeatedly during that period, each access session that uses the same network access ticket after the application must be verified in real time.
It should be noted that, one terminal device may access an enterprise service site through multiple applications at the same time, that is, there are multiple parallel processes at the same time, and the analysis method of each process is the same, so the following embodiments only describe a process that accesses one site for one application. Next, the data processing flow shown in fig. 2 will be described based on fig. 3 and 4.
In step S210, an event trigger time corresponding to a target request is acquired, where the target request is an application request or a use request of a network access ticket, and the network access ticket is related to zero-trust network access.
In one embodiment of the present application, to determine whether the network access of an access subject is compliant, that is, whether it corresponds to the expected normal access, the request related to the network access ticket needs to be received first; the compliance determination method differs with the request type. The embodiments of the application mainly focus on the two scenarios of applying for and using a network access ticket, so the target request is also of two types: an application request for a network access ticket and a use request for a network access ticket.
After receiving an application request or use request for a network access ticket, the compliance of that request needs to be judged, and the compliance of the zero trust network access is then judged according to the result. In the embodiment of the application, the judgment can be made according to whether the caller's flow is consistent with the necessary logic process for applying for or using the network access ticket, and whether all the marking APIs pre-embedded in that necessary logic process are hit; if the logic processes are the same and all marking APIs are hit, the access subject's network access to the enterprise resource is shown to be compliant. The necessary logic processes for applying for or using a network access ticket and the marking APIs are preset, and a marking API is an embedded API corresponding to the control process of iOA.
In one embodiment of the present application, the necessary logic processes for applying for and using the network access ticket include the following:
1. When applying for the network access ticket, information such as terminal information, login user information, the login ticket and application characteristics must be collected, and the network access ticket is applied for from the iOA server according to the collected information. After the network access ticket is successfully applied for, it needs to be added to the encrypted cache in memory. That is, applying for a network access ticket comprises three steps: information collection, ticket application and encrypted storage.
The terminal information can be specifically a terminal unique identifier, terminal software and hardware information, a compliance detection result and the like, the login user information can be specifically a user name, a user id and the like of a user logging in the iOA client, the login bill is information for storing user login authentication in a memory, a user who does not finish the login authentication can inhibit access to enterprise resources, and the application characteristics can be specifically a source IP or domain name, a source port, a destination IP or domain name, a destination port, MD5, a process path, a latest process modification time, copyright information, signature information and the like of a process acquired according to a process PID corresponding to the application.
2. When the ticket application fails due to a network problem or a server fault, the local network access ticket generation path is entered, and the iOA client generates a local network access ticket from the same kind of information as in 1, using a generation algorithm agreed with the iOA server. It is worth noting that the local network access ticket is also a kind of zero-trust network access ticket. When traffic is forwarded based on a local network access ticket, the proxy client sends the local network access ticket, the information required to generate it and the original access request to the zero-trust gateway; the zero-trust gateway sends the local network access ticket and the information required to generate it to the iOA server; the iOA server first generates a network access ticket to be matched from the received information according to the reserved generation algorithm, then compares the received local network access ticket with the network access ticket to be matched. If the two tickets are identical, ticket verification passes and the original access request can be sent to the corresponding service site; otherwise verification fails and sending the original access request to the corresponding service site is forbidden.
3. During use of the network access ticket, the same application accessing the same service site can reuse the same network access ticket within the validity period of the ticket, so the encrypted network access ticket corresponding to the current traffic and application characteristics can be taken out of the memory-level encrypted cache and decrypted; the access proxy sends the network access ticket to the zero trust gateway to execute the ticket verification operation, and the decrypted ticket plaintext is destroyed at the same time.
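The local network access ticket path in item 2 above, as an added example that is not iOA's own code (the page does not state the agreed generation algorithm): the ticket is assumed here to be an HMAC-SHA256 over a canonical encoding of the collected fields under a key shared between the iOA client and the iOA server, the field names and sample values are constructed for the example, and the gateway decision function stands in for the gateway forwarding the ticket and its inputs to the server and acting on the comparison result.

```python
import hashlib
import hmac
import json

# Fields the client collects before generating a local ticket (see item 1 above).
# The exact field set and the agreed algorithm are assumptions for this example.
TICKET_FIELDS = (
    "terminal_id", "user_id", "login_ticket",
    "src", "src_port", "dst", "dst_port",
    "process_md5", "process_path",
)


def canonical_info(info: dict) -> bytes:
    """Deterministic byte encoding of the ticket inputs, so that the client and
    the server hash exactly the same bytes. Raises KeyError if a field is missing."""
    subset = {k: str(info[k]) for k in TICKET_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def generate_local_ticket(shared_key: bytes, info: dict) -> str:
    """Client side: local ticket = HMAC-SHA256 over the collected information.
    The key is assumed to be provisioned to the iOA client out of band; without a
    secret, the ticket could be recomputed by anyone holding the same information."""
    return hmac.new(shared_key, canonical_info(info), hashlib.sha256).hexdigest()


def verify_local_ticket(shared_key: bytes, info: dict, presented: str) -> bool:
    """Server side: regenerate the ticket to be matched from the forwarded
    information and compare it with the presented ticket in constant time."""
    try:
        expected = generate_local_ticket(shared_key, info)
    except KeyError:
        return False  # incomplete information cannot produce a matching ticket
    return hmac.compare_digest(expected, presented)


def gateway_decision(shared_key: bytes, info: dict, presented: str) -> str:
    """Zero trust gateway: forward the original request only when the server's
    comparison succeeds, otherwise refuse to send it to the service site."""
    return "forward" if verify_local_ticket(shared_key, info, presented) else "block"


# Constructed sample input (not real terminal data).
SAMPLE_KEY = b"example-shared-key-provisioned-to-client"
SAMPLE_INFO = {
    "terminal_id": "TERM-0001",
    "user_id": "u1001",
    "login_ticket": "LT-abc123",
    "src": "10.0.0.12", "src_port": 51234,
    "dst": "oa.example.internal", "dst_port": 443,
    "process_md5": "d41d8cd98f00b204e9800998ecf8427e",
    "process_path": r"C:\Program Files\Browser\browser.exe",
}

if __name__ == "__main__":
    ticket = generate_local_ticket(SAMPLE_KEY, SAMPLE_INFO)
    print("ticket:", ticket)
    print("genuine:", gateway_decision(SAMPLE_KEY, SAMPLE_INFO, ticket))
    tampered = dict(SAMPLE_INFO, dst="finance.example.internal")
    print("tampered destination:", gateway_decision(SAMPLE_KEY, tampered, ticket))
```

Regenerating the ticket on the server is only as strong as what the client cannot fabricate: the forwarded information is supplied by the client itself, so binding the ticket to a server-held secret (the assumption made here) and to the validity time issued with it is what stops a host that has copied that information from minting its own tickets.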
According to the above three necessary logic processes, it can be determined that the necessary logic process for applying for a network access ticket includes two logic processes: logic process 1 (the response in which the network access ticket is successfully obtained from the iOA server), marked as the first necessary logic process, and logic process 1 followed by logic process 2 (the network access ticket fails to be obtained from the iOA server and a local network access ticket is generated), marked as the second necessary logic process. The necessary logic process for using a network access ticket includes three logic processes: logic process 3 (an existing network access ticket is fetched from the memory encryption cache), marked as the third necessary logic process; the logic process in which the network access ticket is used immediately after being obtained according to logic process 1, marked as the fourth necessary logic process; and the logic process in which the network access ticket fails to be obtained from the iOA server according to logic process 1, a local network access ticket is generated according to logic process 2 and is used immediately without being obtained from the encryption cache, marked as the fifth necessary logic process.
It should be noted that, when the terminal information, login user information, login ticket and application feature information are collected in the first necessary logic process, the marking API performs the actual collection only the first time; thereafter the cached value is obtained from the memory-level encrypted cache or the local persistent library to speed up processing.
The five necessary logic processes are the logic processes that the preset control process of iOA itself must go through to apply for and use a network access ticket. When a third-party application triggers network access, under normal conditions the application for and use of the network access ticket must proceed according to the set necessary logic processes; if it is detected that the caller's flow does not conform to the set necessary logic processes, the network access triggered by the third-party application is not legitimate.
However, since the caller's flow may be forged, that is, an attacker may forge a flow identical to the preset necessary logic process for applying for or using a network access ticket, judging the compliance of the network access only by whether the caller's flow is the same as the necessary logic process is not reliable. Therefore, whether the caller's flow is actually implemented according to the necessary logic process set by the iOA zero-trust security management system is further judged through the pre-embedded marking APIs, which are the APIs corresponding to the control process of iOA: only if the APIs triggered by the caller's flow hit all pre-embedded marking APIs can the caller's flow be shown to be compliant, and the network access initiated by the application to be compliant. It should be noted that in the embodiment of the present application the third-party application is only the trigger point; the trigger detection of the pre-embedded marking APIs is performed by the security module in the iOA client, and the security module may also perform compliance detection on the marking API calls according to the API call information.
In one embodiment of the application, the marking API or marking API list that the control process of iOA must execute is pre-embedded in the necessary logic process for applying for or using a network access ticket, and the call records of the pre-embedded marking APIs are detected in real time to identify whether the network access of the access subject corresponds to the expected normal access. The marking APIs can be generated by selecting part of all the APIs present in the necessary logic process, for example marking only the 1st, 3rd and 5th APIs of the necessary logic process, and the number of marking APIs can be adjusted according to the actual situation. For example, writing a network access ticket into the memory encryption cache requires calling an API that generates a key for symmetric encryption (BCryptGenerateSymmetricKey), an encryption API (BCryptEncrypt) and an API that allocates the ciphertext buffer on the heap (HeapAlloc); when these APIs are pre-embedded, some of their parameters may be designed to carry an identification string, or one parameter may be reserved so that it can later be compared with the actual value.
In one embodiment of the present application, the embedded marking API or marking API list is configured by the enterprise administrator at the management end; different system platforms can be configured with different marking APIs or marking API lists, and the enterprise administrator configures, updates and issues them. After a marking API or marking API list is issued to the iOA client, it is received and parsed by the security module in the iOA client, and the detection API list is updated according to the parsed result. After an application's access flow triggers a call of a marking API, the iOA client collects information such as the call parameters, the caller's process and the call time, and sends the collected information to a buffer queue for storage. The buffer queue is a buffer queue local to the terminal device, configured with a maximum storage quantity and a maximum storage duration: when the marking API call information stored in the buffer queue exceeds the maximum storage quantity, the marking API call information that has exceeded the maximum storage duration is removed from the buffer queue, and newly collected marking API call information is stored in the buffer queue in order.
After a call of a marking API is triggered, the call time, call parameters and caller's process of the current API are collected and sent to the buffer queue for storage. This information is mainly used to assist in adjusting the marking APIs: for example, if 2 marking APIs are pre-embedded for a certain necessary logic process and they are hit every time marking API call information is collected, the number of marking APIs can be increased to raise the compliance judgment standard; if 5 marking APIs are pre-embedded for a certain necessary logic process but only some of them are hit each time marking API call information is collected, the compliance judgment standard can be relaxed and the number of marking APIs reduced.
In one embodiment of the present application, after receiving an application request or a use request related to a network access ticket, it is further required to obtain an event trigger time corresponding to the application request or the use request, and determine a detection time period according to the event trigger time, so as to obtain, according to the detection time period, marking API call information corresponding to the request, and use the marking API call information for subsequent compliance analysis.
The determination of the event trigger time differs with the request type. When the request is an application request for a network access ticket, the event of concern is the iOA client receiving the application request, so the event trigger time is the time at which the iOA client receives the application request; when the request is a use request for forwarding traffic with the network access ticket, the event of concern is the iOA client sending the network access ticket to the proxy client, so the event trigger time is the time at which the iOA client sends the network access ticket to the proxy client.
In step S220, a detection period is determined based on the event trigger time, and API call information corresponding to the detection period is acquired.
In one embodiment of the present application, after acquiring the event trigger time corresponding to the request, the event trigger time may be used as a reference time, a start time and an end time may be determined according to the reference time and a preset time period configured, and a detection time period may be determined according to the start time and the end time, so that the API call information in the detection time period may be acquired from the buffer queue according to the detection time period, where the acquired API call information is call information corresponding to the request, and the API call information includes call information for marking the API. In embodiments of the present application, the detection period may be determined in two different ways.
Firstly, a preset time period configured by the iOA server is firstly obtained, then the event triggering time is taken as the starting time, the time obtained by increasing the preset time period based on the event triggering time is taken as the ending time, and finally the detection time period can be obtained according to the starting time and the ending time.
Specifically, when the request is an application request for obtaining a network access ticket, the proxy client sends a request for applying a network access ticket to the iOA client, and then the time when the iOA client receives the application request can be marked as a start time, a first preset time period is obtained at the same time, an end time is determined according to the start time and the first preset time period, and a detection time period is determined according to the start time and the end time. For example, the proxy client sends a request for applying a network access ticket to the iOA client at the 5 th s, and the iOA server configures and issues a first preset time period of 60s, and then the detection time period may be determined to be [5s,65s ].
When the request is a use request for forwarding traffic by using the network access ticket, the proxy client requests to obtain the network access ticket from the iOA client, and then the iOA client may mark the time when the network access ticket is sent to the proxy client as a start time, obtain a second preset time period, determine an end time according to the start time and the second preset time period, and further determine a detection time period according to the start time and the end time. For example, the iOA client sends a network access ticket to the proxy client at 20s, the iOA server configures and issues a second preset time period of 60s, and then the detection time period may be determined to be [20s,80s ].
Secondly, firstly, acquiring a preset time period configured by the iOA server, then taking the event triggering time as a reference time, determining a starting time and an ending time according to the reference time and the preset time period, and finally obtaining a detection time period according to the starting time and the ending time.
Specifically, the ticket application time at which the application request for the network access ticket is received, or the sending time at which the network access ticket is sent to the proxy client, may be taken as the reference time, and the start time and end time are determined from the reference time and the corresponding preset time period, so that the detection time period is determined from the start time and end time. For example, when the ticket application time is t1 and the first preset time period is m1, (t1-m1) can be used as the start time and (t1+m1) as the end time, giving the detection time period [t1-m1, t1+m1]; when the sending time at which the network access ticket is sent to the proxy client is t2 and the second preset time period is m2, (t2-m2) can be used as the start time and (t2+m2) as the end time, giving the detection time period [t2-m2, t2+m2], where t1, t2, m1 and m2 are positive numbers.
According to different requirements for acquiring the API call information, the detection time period may be determined in different manners, for example, when only the API call information after receiving the application request or the use request needs to be acquired, the detection time period may be determined in a first manner, and when the API call information before and after receiving the application request or the use request needs to be acquired, the detection time period may be determined in a second manner.
It should be noted that, considering that access of enterprise resources can be performed to multiple sites through multiple applications at the same time in one terminal device, the data concurrency is large, and delay exists in data storage, so when the iOA server configures the first preset time period and the second preset time period, the first preset time period and the second preset time period can be properly set to be longer, thus the problem of incomplete data acquisition caused by time delay can be avoided, and further, the correctness of the conclusion of compliance analysis can be further ensured.
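The two manners of deriving the detection time period, and the effect of the storage delay noted above, as an added example (this is illustrative code, not code from the patent or from Tencent iOA; the record layout, the PIDs, the API names and the buffer contents are constructed for illustration, and timestamps are seconds on the client's clock):

```python
# Added example, not code from the patent or from Tencent iOA. Timestamps are seconds on the
# client's clock; the record layout and the buffer contents are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ApiCallRecord:
    ts: float               # time at which the API call was recorded by the hook
    caller_pid: int         # process that made the call
    api_name: str
    params: Dict[str, str]


def detection_window(reference_time: float, preset_period: float, manner: int) -> Tuple[float, float]:
    """Derive [start, end] from the event trigger time and the server-configured period.

    manner 1: start = reference, end = reference + period (only calls after the request)
    manner 2: start = reference - period, end = reference + period (calls before and after)
    """
    if preset_period <= 0:
        raise ValueError("preset period must be a positive number")
    if manner == 1:
        return reference_time, reference_time + preset_period
    if manner == 2:
        return reference_time - preset_period, reference_time + preset_period
    raise ValueError("manner must be 1 or 2")


def calls_in_window(buffer: List[ApiCallRecord], window: Tuple[float, float],
                    caller_pid: Optional[int] = None) -> List[ApiCallRecord]:
    """Pull the records that fall inside the detection time period, oldest first.
    Optionally restrict to the PID that initiated the application or use request."""
    start, end = window
    hits = [r for r in buffer
            if start <= r.ts <= end and (caller_pid is None or r.caller_pid == caller_pid)]
    return sorted(hits, key=lambda r: r.ts)


# Constructed buffer: PID 4242 stands for the iOA client, PID 5150 for an unrelated process.
BUFFER = [
    ApiCallRecord(18.0, 4242, "mark_collect_proc_info", {"tag": "IOA_MARK"}),
    ApiCallRecord(21.5, 4242, "mark_load_ticket", {"tag": "IOA_MARK"}),
    ApiCallRecord(23.0, 5150, "CreateFileW", {}),
    ApiCallRecord(25.0, 4242, "mark_forward_traffic", {"tag": "IOA_MARK"}),
    ApiCallRecord(85.0, 4242, "mark_forward_traffic", {"tag": "IOA_MARK"}),  # written late to the queue
]

if __name__ == "__main__":
    # The worked figures from the text: ticket sent to the proxy client at 20 s, period 60 s.
    window = detection_window(20.0, 60.0, manner=1)          # (20.0, 80.0)
    print(window, [r.api_name for r in calls_in_window(BUFFER, window, caller_pid=4242)])
    # A longer period absorbs the storage delay and also picks up the record stored at 85 s.
    late = calls_in_window(BUFFER, detection_window(20.0, 70.0, manner=1), caller_pid=4242)
    print(late[-1].ts)
```

Filtering by the requesting PID matters because the buffer queue is shared by every process that is hooked; without it, calls from an unrelated process inside the same window would pollute the comparison that follows.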
In one embodiment of the application, the API call information comprises the process information of the caller and the name of the API. The compliance of the application request or the use request of the network access ticket is judged according to the process information of the caller, the name of the API, the must-go logic process for applying for or using the network access ticket, and the name of the mark API corresponding to that must-go logic process; the compliance of the zero trust network access is then determined according to the judgment result.
Further, the API call information may also include the relative call sequence and/or call parameters of the API, so that the compliance of the application request or the use request of the network access ticket may be judged by comparing the relative call sequence and/or call parameters of the API with the relative call sequence and/or call parameters of the mark API corresponding to the must-go logic process for applying for or using the network access ticket, and the compliance of the zero trust network access is then determined according to the judgment result. Of course, other conditions for the compliance judgment may be configured when the zero trust network access control policy is configured, which the embodiments of the present application do not describe further.
In step S230, the compliance of the zero trust network access is judged according to the API call information, the zero trust network access must-go logic process and the mark API, where the zero trust network access must-go logic process includes the must-go logic process for applying for a network access ticket and the must-go logic process for using the network access ticket, and the mark API is an API related to the control process of the zero trust security management system.
In one embodiment of the present application, when the API call information includes the process information of the caller and the name of the API, the process information of the caller may be compared with the must-go logic process for applying for or using the network access ticket to obtain a first comparison result, and the name of the API may be compared with the name of the mark API corresponding to that must-go logic process to obtain a second comparison result, so that the compliance of the application request or the use request of the network access ticket is judged according to the first comparison result and the second comparison result. If both comparison results are the same, the request is compliant; if at least one of the first comparison result and the second comparison result is different, the application request or the use request of the network access ticket is not compliant, and the zero trust network access by the access subject is an abnormal access that does not conform to expectations.
When the API call information further includes the relative call sequence and/or call parameters of the API, then in addition to the judgment based on the process information of the caller and the name of the API, the relative call sequence of the API may be compared with the relative call sequence of the mark API corresponding to the must-go logic process for applying for or using the network access ticket to obtain a third comparison result, and/or the call parameters may be compared with the call parameters of the mark API corresponding to that must-go logic process to obtain a fourth comparison result; whether the application request or the use request of the network access ticket is compliant is then determined according to the first comparison result, the second comparison result, the third comparison result and/or the fourth comparison result. If the results of all judgment conditions are the same, the application request or the use request of the network access ticket is compliant and the zero trust network access of the access subject is the expected normal access; if the result of at least one judgment condition is different, the application request or the use request is not compliant and the zero trust network access of the access subject is an abnormal access that does not conform to expectations.
When judging whether the call parameters are the same as the call parameters of the mark API corresponding to the must-go logic process for applying for or using the network access ticket, the collected call parameters of the API can be checked against the identifier that was set in the API when the mark API was pre-embedded, or against parameters that can be matched for equality: if the collected call parameters of the API carry the identifier set when the mark API was pre-embedded, or match those parameters, the call parameters are checked as normal.
In one embodiment of the present application, when judging whether the process information of the caller conforms to the must-go logic process for applying for or using the network access ticket, it is judged whether the process information of the caller is the same as one of the five must-go logic processes described in step S210. Specifically, when the process information of the caller relates to an application request for the network access ticket, it is judged whether it is the same as the first must-go logic process or the second must-go logic process; when it relates to a use request for the network access ticket, it is judged whether it is the same as the third, fourth or fifth must-go logic process.
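The four comparisons described above (caller process, mark API name, relative call sequence, and call parameters carrying the pre-embedded identifier), as an added example (illustrative code, not code from the patent or from Tencent iOA; the five must-go logic process templates, the mark API names, the process names "ioa_client" and "ioa_proxy", and the identifier "IOA_MARK" are all assumptions made for illustration):

```python
# Added example, not code from the patent or from Tencent iOA. The five must-go logic
# processes, the mark API names, the process names and the pre-embedded identifier
# "IOA_MARK" are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

MARK_TAG = "IOA_MARK"   # identifier assumed to be set in every mark API call when pre-embedded


@dataclass(frozen=True)
class ApiCall:
    caller_process: str      # process information of the caller (process name here)
    api_name: str
    params: Dict[str, str]


@dataclass(frozen=True)
class MustGoProcess:
    label: str               # "first" .. "fifth"
    kind: str                # "apply" or "use"
    caller_process: str      # the process that must trigger these calls
    mark_apis: List[str]     # mark APIs in their required relative order


# Hypothetical templates for the five must-go logic processes of step S210.
MUST_GO = [
    MustGoProcess("first", "apply", "ioa_client", ["mark_collect_proc_info", "mark_request_ticket", "mark_store_ticket"]),
    MustGoProcess("second", "apply", "ioa_client", ["mark_collect_proc_info", "mark_request_ticket", "mark_generate_local_ticket"]),
    MustGoProcess("third", "use", "ioa_proxy", ["mark_load_ticket", "mark_decrypt_ticket", "mark_forward_traffic"]),
    MustGoProcess("fourth", "use", "ioa_proxy", ["mark_request_ticket", "mark_forward_traffic"]),
    MustGoProcess("fifth", "use", "ioa_proxy", ["mark_request_ticket", "mark_generate_local_ticket", "mark_forward_traffic"]),
]


@dataclass
class Verdict:
    compliant: bool
    matched: Optional[str]    # label of the must-go process the calls conform to, if any
    reasons: List[str]        # differing comparison results for the closest candidate


def compare_with(calls: List[ApiCall], proc: MustGoProcess) -> List[str]:
    """Return the comparison results that differ (an empty list means all four are the same)."""
    reasons: List[str] = []
    mark_calls = [c for c in calls if c.api_name in proc.mark_apis]   # ordinary API calls are ignored
    # first comparison: process information of the caller
    if {c.caller_process for c in mark_calls} != {proc.caller_process}:
        reasons.append("caller process differs from must-go logic process")
    # second comparison: names of the called mark APIs
    if {c.api_name for c in mark_calls} != set(proc.mark_apis):
        reasons.append("mark API names missing")
    # third comparison: relative call order of the mark APIs (only meaningful when all are present)
    elif [c.api_name for c in mark_calls] != proc.mark_apis:
        reasons.append("relative call order differs")
    # fourth comparison: call parameters must carry the identifier set when the mark API was pre-embedded
    if any(c.params.get("tag") != MARK_TAG for c in mark_calls):
        reasons.append("call parameters lack the pre-embedded identifier")
    return reasons


def judge_compliance(kind: str, calls: List[ApiCall]) -> Verdict:
    """Compliant only when every comparison is the same for one must-go process of this kind."""
    best = None
    for proc in (p for p in MUST_GO if p.kind == kind):
        reasons = compare_with(calls, proc)
        if not reasons:
            return Verdict(True, proc.label, [])
        if best is None or len(reasons) < len(best[1]):
            best = (proc.label, reasons)
    return Verdict(False, None, best[1] if best else ["no must-go logic process of this kind"])


# Constructed call records pulled from the detection time period.
OK_APPLY = [
    ApiCall("ioa_client", "mark_collect_proc_info", {"tag": MARK_TAG, "pid": "4242"}),
    ApiCall("ioa_client", "WinHttpSendRequest", {}),              # ordinary API, not a mark API
    ApiCall("ioa_client", "mark_request_ticket", {"tag": MARK_TAG}),
    ApiCall("ioa_client", "mark_store_ticket", {"tag": MARK_TAG}),
]
OK_USE = [
    ApiCall("ioa_proxy", "mark_load_ticket", {"tag": MARK_TAG}),
    ApiCall("ioa_proxy", "mark_decrypt_ticket", {"tag": MARK_TAG}),
    ApiCall("ioa_proxy", "mark_forward_traffic", {"tag": MARK_TAG}),
]
# An attacker-controlled process replaying the mark APIs without the pre-embedded identifier.
FORGED_APPLY = [
    ApiCall("evil_agent", "mark_request_ticket", {}),
    ApiCall("evil_agent", "mark_store_ticket", {}),
]
# Right process and right APIs, but the ticket is stored before it was requested.
REORDERED_APPLY = [
    ApiCall("ioa_client", "mark_collect_proc_info", {"tag": MARK_TAG}),
    ApiCall("ioa_client", "mark_store_ticket", {"tag": MARK_TAG}),
    ApiCall("ioa_client", "mark_request_ticket", {"tag": MARK_TAG}),
]

if __name__ == "__main__":
    for name, kind, calls in [("ok apply", "apply", OK_APPLY), ("ok use", "use", OK_USE),
                              ("forged", "apply", FORGED_APPLY), ("reordered", "apply", REORDERED_APPLY)]:
        print(name, judge_compliance(kind, calls))
```

Note that the relative call sequence is compared only over the mark APIs, so ordinary API calls interleaved in the buffer do not break the match, and that a record set which passes the name comparison can still fail on order or on the identifier, which is what separates a replayed sequence from the genuine control path.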
In one embodiment of the application, after the compliance of the zero trust network access has been determined, a corresponding target operation may be performed according to the judgment result. Specifically:
when the zero trust network access is determined to be compliant, that is, the expected normal access, zero trust network access services may continue to be provided to the access subject;
when the zero trust network access is determined to be non-compliant, that is, an abnormal access that does not conform to expectations, issuing the zero trust network access ticket to the terminal device is prohibited, and the related behavior is reported to the iOA server as an abnormal audit log so that the iOA server can further handle the iOA client, the terminal device and the physical network, for example by adding the terminal device to a blacklist, forbidding the user from logging in to the iOA client to use the zero trust function, forbidding the application from applying for a network access ticket, forcibly invalidating the login state, and switching the physical network to an isolation network.
In one embodiment of the application, in addition to the call records of the mark API, the iOA client detects whether the basic security reinforcement logic has been damaged, and judges whether an attacker has attacked the zero trust security management system according to both the judgment result based on the mark API call information and the detection result of the basic security reinforcement logic. This prevents a malicious attacker from tampering with the terminal security service in real time in order to exploit known vulnerabilities, probe sensitive ports of the server, or launch a DoS attack from an attack host. The detection of the basic security reinforcement logic mainly covers the following four points:
1. periodically detecting whether a module responsible for security detection and compliance reinforcement is missing from its directory;
2. detecting whether the key services related to security are running, or have been maliciously stopped or disabled;
3. detecting whether a login state (including the login ticket) exists;
4. detecting whether the process that triggers the mark API is a compliant process initiated by iOA, and whether the mark API carries copyright information and a normal digital signature.
When any of the four points is abnormal, for example the module responsible for security detection and compliance reinforcement is missing from the directory, a key service related to security is stopped, the login ticket is absent or there is no login state, the process triggering the mark API was not initiated by iOA, or the mark API lacks copyright information or a normal digital signature, the basic security reinforcement logic of the iOA client is considered damaged: the application for and use of the network access ticket are stopped, the zero trust network access is no longer performed, and an audit log is reported to the iOA server.
In one embodiment of the present application, the iOA client is responsible both for detecting whether the basic security reinforcement logic has been damaged and for judging whether the access of the access subject is abnormal according to the mark API call records; if either of the two indicates an abnormality, the system is considered to have been damaged by an attacker and corresponding disposal measures are required.
In one embodiment of the present application, detecting whether the basic security reinforcement logic has been damaged and whether the mark API has been called may be implemented by a security module in the iOA client. While it detects whether the basic security reinforcement logic has been damaged and whether the pre-embedded mark API call records are compliant, the security module runs in parallel with the application for and use of the network access ticket: the two are not performed synchronously, but secure the zero trust network access by probing each other. If the security module finds during its periodic detection that call records of the pre-embedded mark API exist, and the pattern of those calls matches the relative sequence and characteristics of the mark API calls in the must-go logic process (the characteristics may be, for example, comparable call parameters), but no record of applying for or using a network access ticket through the zero trust security management system is detected, then the access entity has forged the network access ticket, and the access entity and its network access behavior can be marked as abnormal. Conversely, during the application for and use of the network access ticket, the current detection result of the security module is consulted; if it is abnormal, the application for and use of the network access ticket are stopped and an audit log is reported to the iOA server.
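The mutual probing between the security module's periodic scan and the ticket flow, as an added example (illustrative code, not code from the patent or from Tencent iOA; the record layouts, the PIDs, the tolerance and the idea of correlating by timestamp are assumptions, since the text does not say how the two records are matched):

```python
# Added example, not code from the patent or from Tencent iOA. It models the cross-check
# between the security module's periodic scan of mark API call records and the iOA client's
# own log of ticket application/use events; all records below are constructed.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class MarkCallRecord:
    ts: float          # time of the mark API call
    caller_pid: int
    api_name: str


@dataclass(frozen=True)
class TicketEvent:
    ts: float          # time the iOA client received an application or handed out the ticket
    pid: int           # process the ticket was applied for / sent to
    stage: str         # "apply" or "use"


def find_unbacked_mark_calls(mark_calls: List[MarkCallRecord], ticket_events: List[TicketEvent],
                             tolerance: float) -> List[int]:
    """Return the PIDs whose mark API calls have no ticket apply/use event within `tolerance` s.

    A PID that exercised the control path (mark APIs were called) without any ticket
    application or use recorded by the zero trust security management system is treated,
    as in the text, as having forged the network access ticket.
    """
    suspicious: List[int] = []
    for pid in sorted({c.caller_pid for c in mark_calls}):
        calls = [c for c in mark_calls if c.caller_pid == pid]
        event_times = [e.ts for e in ticket_events if e.pid == pid]
        backed = all(any(abs(c.ts - t) <= tolerance for t in event_times) for c in calls)
        if not backed:
            suspicious.append(pid)
    return suspicious


class SecurityModule:
    """Runs independently of the ticket flow; the two consult each other's latest result."""

    def __init__(self, tolerance: float):
        self.tolerance = tolerance
        self.latest_abnormal_pids: List[int] = []

    def periodic_scan(self, mark_calls: List[MarkCallRecord],
                      ticket_events: List[TicketEvent]) -> List[int]:
        """Direction 1: the scan flags PIDs with mark API calls but no ticket record."""
        self.latest_abnormal_pids = find_unbacked_mark_calls(mark_calls, ticket_events, self.tolerance)
        return self.latest_abnormal_pids

    def ticket_flow_allowed(self, pid: int) -> bool:
        """Direction 2: the apply/use path stops if the last scan already flagged this PID."""
        return pid not in self.latest_abnormal_pids


# Constructed records: PID 4242 used a ticket handed out at 20 s; PID 6660 called the mark
# APIs at 300 s although no ticket was ever applied for or issued to it.
MARK_CALLS = [
    MarkCallRecord(21.5, 4242, "mark_load_ticket"),
    MarkCallRecord(25.0, 4242, "mark_forward_traffic"),
    MarkCallRecord(300.0, 6660, "mark_load_ticket"),
    MarkCallRecord(301.0, 6660, "mark_forward_traffic"),
]
TICKET_EVENTS = [TicketEvent(20.0, 4242, "use")]

if __name__ == "__main__":
    module = SecurityModule(tolerance=60.0)
    print("abnormal PIDs:", module.periodic_scan(MARK_CALLS, TICKET_EVENTS))    # [6660]
    print("4242 may continue:", module.ticket_flow_allowed(4242))
    print("6660 may continue:", module.ticket_flow_allowed(6660))
```

The tolerance should be at least as long as the detection time period configured by the iOA server, for the same reason the text gives for lengthening the preset periods: a ticket event that is stored late would otherwise make a legitimate process look unbacked.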
In one embodiment of the application, the iOA server may also configure the availability of the system and issue the configured policies to the iOA clients, which then operate according to those policies. Specifically, frequency control logic for network access ticket applications may be configured: when the application frequency is higher than a first frequency threshold, applications for the network access ticket are limited to reduce the load on the ticket service. Frequency control logic for mark API calls may also be configured: when the iOA client finds that the mark API call frequency is higher than a second frequency threshold, no network access ticket is issued for a certain time and the caching time of the network access ticket is automatically extended, and so on. The first frequency threshold and the second frequency threshold may be the maximum network access ticket application frequency and mark API call frequency that the zero trust security management system can bear; the embodiment of the present application does not specifically limit them.
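The two frequency controls described above, as an added example (illustrative code, not code from the patent or from Tencent iOA; the sliding window, the per-subject counting, the cooldown length and the cache extension are assumptions, since the text leaves the thresholds and the "certain time" to server policy):

```python
# Added example, not code from the patent or from Tencent iOA. Window length, thresholds,
# cooldown and cache extension are illustrative values the text leaves to the server policy.
from collections import deque
from typing import Deque, Dict


class FrequencyController:
    def __init__(self, window_s: float, ticket_apply_limit: int, mark_call_limit: int,
                 cooldown_s: float, cache_ttl_s: float, ttl_extension_s: float):
        self.window_s = window_s
        self.ticket_apply_limit = ticket_apply_limit   # first frequency threshold, per access subject
        self.mark_call_limit = mark_call_limit         # second frequency threshold, client-wide
        self.cooldown_s = cooldown_s                   # the "certain time" during which no ticket is issued
        self.cache_ttl_s = cache_ttl_s
        self.ttl_extension_s = ttl_extension_s
        self._applies: Dict[str, Deque[float]] = {}
        self._mark_calls: Deque[float] = deque()
        self.issuing_paused_until = 0.0

    def _trim(self, q: Deque[float], now: float) -> None:
        """Drop timestamps that have left the sliding window."""
        while q and q[0] <= now - self.window_s:
            q.popleft()

    def on_ticket_application(self, now: float, subject: str) -> str:
        """Returns 'issue', 'limit' (first threshold exceeded) or 'paused' (cooldown after second threshold)."""
        if now < self.issuing_paused_until:
            return "paused"
        q = self._applies.setdefault(subject, deque())
        self._trim(q, now)
        if len(q) >= self.ticket_apply_limit:
            return "limit"              # limit the application to relieve the ticket service
        q.append(now)
        return "issue"

    def on_mark_api_call(self, now: float) -> float:
        """Records a mark API call and returns the cache TTL to apply to the current ticket.

        Above the second threshold, ticket issuance is paused for the cooldown and the
        cached ticket's lifetime is extended so clients keep working from the cache."""
        self._trim(self._mark_calls, now)
        self._mark_calls.append(now)
        if len(self._mark_calls) > self.mark_call_limit:
            self.issuing_paused_until = now + self.cooldown_s
            return self.cache_ttl_s + self.ttl_extension_s
        return self.cache_ttl_s


if __name__ == "__main__":
    fc = FrequencyController(window_s=10, ticket_apply_limit=3, mark_call_limit=5,
                             cooldown_s=30, cache_ttl_s=300, ttl_extension_s=300)
    print([fc.on_ticket_application(t, "alice") for t in (0, 1, 2, 3)])   # fourth within 10 s is limited
    print([fc.on_mark_api_call(t) for t in range(6)])                      # sixth call extends the TTL
    print(fc.on_ticket_application(20, "carol"), fc.on_ticket_application(36, "carol"))
```

Counting applications per access subject keeps one noisy application from starving the others, while the mark API rate is counted client-wide because a burst there indicates the control path itself is being hammered, regardless of which subject triggered it.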
The data processing method in the embodiment of the application can be applied to any enterprise office scenario, such as an employee working from home or on a business trip, in which an enterprise site must be accessed through the zero trust security management system to obtain the corresponding business resources. Next, the data processing method of the embodiment is described in detail, taking as an example an employee accessing an enterprise site through a browser based on the zero trust security management system.
The employee first logs in to the iOA client installed on the terminal device by entering information such as a user name, user ID and password, then opens the browser and enters the address of the site whose resources are to be obtained. After the site address is entered, the proxy client of the iOA client, which performs the proxy access, hijacks the network access request on the terminal device and initiates an application request for a network access ticket to the iOA client according to the five-tuple information corresponding to the network access request. The iOA client obtains the process MD5, process path, latest modification time of the process, copyright information and signature information according to the PID of the applying process in the five-tuple, generates a network access ticket application request together with the other four elements of the five-tuple, sends the request to the iOA server, receives the network access ticket fed back by the iOA server, and stores the received network access ticket encrypted in an encrypted cache. Alternatively, when a failure of the iOA server or of the network prevents a network access ticket from being generated, the method switches to generating a local network access ticket according to the generation algorithm negotiated with the iOA server.
In order to judge whether the application for the network access ticket is abnormal, after the application request is received, the time of receiving the application request is taken as the reference time, and the start time and the end time are determined from that time and the configured first time period; the detection time period is then determined from the start time and the end time, and the API call information within the detection time period is obtained from the API buffer queue. The API call information includes the API name, the relative call sequence of the API, the API call parameters and the caller process, and the API buffer queue stores all API call information triggered by the process that initiated the application, including the mark API call information. The caller process is then compared with the preset must-go logic process for applying for a network access ticket, the API name with the name of the mark API corresponding to that must-go logic process, the relative call sequence of the API with the relative call sequence of that mark API, and the API call parameters with the call parameters of that mark API. When the caller process conforms to the first or second must-go logic process, and the name, relative call sequence and call parameters of the API are the same as those of the mark API corresponding to the must-go logic process for applying for a network access ticket, the application request for the network access ticket is determined to be compliant.
The proxy client may then obtain the network access ticket from the iOA client or from the cache and use it to forward traffic. Specifically, the network access ticket and the original access request are sent to a zero trust gateway; the zero trust gateway first verifies the network access ticket by sending it to the iOA server for verification, and after verification passes, forwards the original access request to the service server of the corresponding site, receives the service resources returned by the service server and feeds them back to the proxy client, which passes them on to the terminal device for use.
In order to judge whether the use of the network access ticket is abnormal, the time at which the iOA client sends the network access ticket to the proxy client is taken as the reference time, and the start time and the end time are determined from that time and the configured second time period; the detection time period is then determined from the start time and the end time, and the API call information within the detection time period is obtained from the API buffer queue. The API call information includes the API name, the relative call sequence of the API, the API call parameters and the caller process, and the API buffer queue stores all API call information triggered by the process that initiated the application. The caller process is then compared with the preset must-go logic process for using the network access ticket, the API name with the name of the mark API corresponding to that must-go logic process, the relative call sequence of the API with the relative call sequence of that mark API, and the API call parameters with the call parameters of that mark API. When the caller process conforms to the third, fourth or fifth must-go logic process, and the name, relative call sequence and call parameters of the API are the same as those of the mark API corresponding to the must-go logic process for using the network access ticket, the use of the network access ticket is determined to be compliant.
When both the application for and the use of the network access ticket are judged to be compliant, the network access of the access subject is the expected normal access, and the corresponding service can continue to be provided to the access subject.
In one embodiment of the application, when the application for or use of the network access ticket is judged to be non-compliant, the relevant logs may be collected and sent to the iOA server so that the iOA server performs the corresponding disposal on the access subject. In the embodiment of the application, the compliance of the application for and use of the network access ticket can also be judged by the iOA server: when judged compliant, the access subject continues to be served through the zero trust security management system; when judged non-compliant, the corresponding disposal measures are executed directly on the access subject.
The data processing method of the embodiment first acquires the event trigger time corresponding to a target request, where the target request is an application request or a use request for a network access ticket and the network access ticket is related to zero trust network access; it then determines a detection time period based on the event trigger time and acquires the API call information corresponding to the detection time period; finally it judges the compliance of the zero trust network access according to the API call information, the zero trust network access must-go logic process and the mark API. The application pre-embeds a mark API related to the control process of the zero trust security management system in the logic process for applying for or using the network access ticket. When an application request or use request for the network access ticket is received, the API call records within the detection time period are obtained, and it is judged whether the caller process in those records conforms to the must-go logic path for applying for or using the network access ticket, and whether the call information is the same as the call information of the mark API corresponding to that must-go logic process. On the one hand, this accurately distinguishes normal network access from abnormal network access; on the other hand, it resists an attacker who tampers with the terminal service to bypass the detection logic and access control policy, or who uses an attack host to launch a DoS attack on the server. The reliability of the zero trust security management system and its ability to resist attack are thereby improved, and so are the security of the terminal's zero trust network and of enterprise office work.
It should be noted that although the steps of the methods of the present application are depicted in the accompanying drawings in a particular order, this does not require or imply that the steps must be performed in that particular order, or that all illustrated steps be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
The following describes embodiments of the apparatus of the present application that may be used to perform the data processing methods of the above-described embodiments of the present application. Fig. 9 schematically shows a block diagram of a data processing apparatus according to an embodiment of the present application. As shown in fig. 9, the data processing apparatus 900 includes: the acquiring module 910 and the judging module 920 specifically:
an obtaining module 910, configured to obtain an event trigger time corresponding to a target request, where the target request is an application request or a use request of a network access ticket, and the network access ticket is related to zero-trust network access;
the obtaining module 910 is further configured to determine a detection time period based on the event trigger time, and obtain API call information corresponding to the detection time period;
The judging module 920 is configured to judge the compliance of the zero trust network access according to the API call information, the zero trust network access must-go logic process and the mark API, where the zero trust network access must-go logic process includes the must-go logic process for applying for a network access ticket and the must-go logic process for using the network access ticket, and the mark API is an API related to the control process of the zero trust security management system.
In some embodiments of the present application, when the request is the application request, the event trigger time is the time of receiving the application request; based on the above technical solution, the obtaining module 910 is configured to: acquire a first preset time period; take the time of receiving the application request as the reference time, which also serves as the start time, and determine the end time according to the reference time and the first preset time period; and determine the detection time period according to the start time and the end time.
In some embodiments of the application, the API call information includes a name of the called API and a process of the caller; based on the above technical solution, the determining module 920 is configured to: comparing the process of the caller with a logic process for applying a network access ticket to obtain a first comparison result; comparing the name of the API with the name of the marked API corresponding to the logic process of the application network access ticket necessary to obtain a second comparison result; when the first comparison result and the second comparison result are the same, judging that the zero trust network access is compliant; and when the first comparison result and/or the second comparison result are different, determining that the zero trust network access is not compliant.
In some embodiments of the application, the API call information includes a name of the called API, a process of the caller, a relative call order of the API, and call parameters; based on the above technical solution, the determining module 920 is configured to: comparing the process of the caller with the application network access ticket must-go logic process to obtain a first comparison result; comparing the name of the API with the name of the marked API corresponding to the logic process of the application network access ticket necessary to obtain a second comparison result; comparing the relative calling sequence of the API with the relative calling sequence of the marked API corresponding to the application network access ticket must-go logic process to obtain a third comparison result; comparing the calling parameters of the API with the calling parameters of the marked API corresponding to the application network access ticket must-go logic process to obtain a fourth comparison result; when the first comparison result, the second comparison result, the third comparison result and the fourth comparison result are the same, determining that the zero trust network access is compliant; and when at least one of the first comparison result, the second comparison result, the third comparison result and the fourth comparison result is different, determining that the zero trust network access is not compliant.
In some embodiments of the present application, based on the above technical solutions, the must-go logic process for applying for a network access ticket includes a first must-go logic process and a second must-go logic process; the first must-go logic process is to successfully acquire the network access ticket from the zero trust server according to the acquired information and store it encrypted; the second must-go logic process is to generate the network access ticket locally according to the acquired information after acquiring it from the zero trust server has failed.
In some embodiments of the application, when the request is the use request, the event trigger time is a time to send the network access ticket to a proxy client; based on the above technical solution, the obtaining module 910 is configured to: acquiring a second preset time period; taking the time of sending the network access ticket to the proxy client as a reference time, and determining an ending time according to the reference time and the second preset time period; and determining the detection time period according to the starting time and the ending time.
In some embodiments of the present application, based on the above technical solutions, the obtaining module 910 is further configured to: acquire the API call information corresponding to the detection time period from a mark API call buffer queue, where the API call information comprises the call information of the mark API.
In some embodiments of the application, the API call information includes a name of the called API and a process of the caller; based on the above technical solution, the determining module 920 is configured to: comparing the process of the caller with the logic process of the using network access ticket necessary to obtain a first comparison result; comparing the name of the API with the name of the marked API corresponding to the logic process of the access ticket to obtain a second comparison result; when the first comparison result and the second comparison result are the same, judging that the zero trust network access is compliant; and when the first comparison result and/or the second comparison result are different, determining that the zero trust network access is not compliant.
In some embodiments of the application, the API call information includes a name of the called API, a process of the caller, a relative call order of the API, and call parameters; based on the above technical solution, the determining module 920 is configured to: comparing the process of the caller with the logic process of the using network access ticket necessary to obtain a first comparison result; comparing the name of the API with the name of the marked API corresponding to the logic process of the access ticket to obtain a second comparison result; comparing the relative calling sequence of the API with the relative calling sequence of the marked API corresponding to the logic process of the using network access ticket to obtain a third comparison result; comparing the calling parameters of the API with the calling parameters of the marked API corresponding to the logic process of the using network access ticket to obtain a fourth comparison result; when the first comparison result, the second comparison result, the third comparison result and the fourth comparison result are the same, determining that the zero trust network access is compliant; and when at least one of the first comparison result, the second comparison result, the third comparison result and the fourth comparison result is different, determining that the zero trust network access is not compliant.
In one embodiment of the present application, the must-go logic process for using the network access ticket comprises a third must-go logic process, a fourth must-go logic process and a fifth must-go logic process; the third must-go logic process is to acquire the encrypted network access ticket corresponding to the current application information, decrypt it to obtain the network access ticket, and forward traffic with it; the fourth must-go logic process is to forward traffic directly with the network access ticket after successfully acquiring it from the zero trust server according to the acquired information; and the fifth must-go logic process is to generate the network access ticket locally according to the acquired information when acquiring it from the zero trust server has failed, and forward traffic directly with it.
In some embodiments of the present application, based on the above technical solutions, the data processing apparatus 900 further includes a detection module configured to detect whether the basic security reinforcement logic has been damaged, and to execute a target operation according to the compliance judgment result and the detection result.
In some embodiments of the present application, based on the above technical solutions, the detection module is configured to: detect whether any module responsible for security detection and compliance reinforcement is missing from its directory; detect whether a key service is running, has been maliciously stopped, or has been blinded; detect whether a login state and a login ticket exist; and detect whether calls to the marked API are compliant, whether the marked API carries copyright information, and whether the marked API has a valid digital signature.
In some embodiments of the present application, based on the above technical solutions, the detection module is configured to prohibit the zero trust network access by means of the zero trust security control system when at least one of the compliance judgment result and the detection result is abnormal.
In some embodiments of the present application, based on the above technical solutions, the data processing apparatus 900 is further configured to: acquire the application frequency of the network access ticket; and reject the application request for the network access ticket when the application frequency is greater than a first frequency threshold.
In some embodiments of the present application, based on the above technical solutions, the data processing apparatus 900 is further configured to: acquire the call frequency of the marked API; and, when the call frequency of the marked API is greater than a second frequency threshold, stop issuing the network access ticket and extend the caching time of the network access ticket in the cache.
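The compliance judgment described in the embodiments above (and restated in the claims) can be sketched in Python; this is an added example, not code from the patent or from Tencent. It models the API-call buffer queue, the detection window around the event trigger time, the four comparisons for a use request, and the frequency guard used by the two thresholds; the API names, process names, timestamps, window size and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Set, Tuple

@dataclass(frozen=True)
class ApiCall:
    """One record from the API-call buffer queue (constructed record format)."""
    ts: float                # time the call was recorded, seconds
    process: str             # process of the caller
    api: str                 # name of the called API
    params: Tuple[str, ...]  # call parameters, normalised to strings

@dataclass(frozen=True)
class Step:
    """One step of a mandatory logic process: marked API, caller process, parameters."""
    process: str
    api: str
    params: Tuple[str, ...]

# Constructed mandatory logic process for a use request (the "third" process
# above: fetch the encrypted ticket, decrypt it, forward traffic with it).
# Hypothetical API and process names, not identifiers from the patent.
USE_TICKET_PROCESS: List[Step] = [
    Step("zt_agent", "GetEncryptedTicket", ("app-42",)),
    Step("zt_agent", "DecryptTicket", ("app-42", "kid-7")),
    Step("zt_agent", "ForwardTraffic", ("app-42", "10.0.0.8:443")),
]

def detection_window(trigger_ts: float, preset_period: float) -> Tuple[float, float]:
    """Start and end time derived from the event trigger time and a preset period."""
    return trigger_ts - preset_period, trigger_ts + preset_period

def marked_calls_in_window(queue: Iterable[ApiCall], window: Tuple[float, float],
                           marked_apis: Set[str]) -> List[ApiCall]:
    """Marked-API calls inside the window, oldest first, so relative order can be compared."""
    start, end = window
    return sorted((c for c in queue if start <= c.ts <= end and c.api in marked_apis),
                  key=lambda c: c.ts)

def judge_compliance(calls: Sequence[ApiCall],
                     mandatory: Sequence[Step]) -> Tuple[bool, Dict[str, bool]]:
    """The four comparisons (caller process, API name, relative order, parameters);
    access is compliant only when every one of them matches."""
    expected_procs = {s.process for s in mandatory}
    expected_names = [s.api for s in mandatory]
    results = {
        "process": bool(calls) and all(c.process in expected_procs for c in calls),
        "name": {c.api for c in calls} == set(expected_names),
        "order": [c.api for c in calls] == expected_names,
        "params": len(calls) == len(mandatory)
                  and all(c.params == s.params for c, s in zip(calls, mandatory)),
    }
    return all(results.values()), results

def check_use_request(queue: Iterable[ApiCall], trigger_ts: float,
                      preset_period: float = 2.0) -> Tuple[bool, Dict[str, bool]]:
    """Use request: the trigger time is when the ticket was sent to the proxy client."""
    window = detection_window(trigger_ts, preset_period)
    calls = marked_calls_in_window(queue, window, {s.api for s in USE_TICKET_PROCESS})
    return judge_compliance(calls, USE_TICKET_PROCESS)

def rate_exceeded(event_times: Iterable[float], now: float, period: float, threshold: int) -> bool:
    """Frequency guard for both thresholds: ticket application requests (reject when
    exceeded) and marked-API calls (stop issuing tickets, extend the cache lifetime)."""
    return sum(1 for t in event_times if now - period < t <= now) > threshold

# Constructed sample queues. TRIGGER_TS is when the ticket went to the proxy client;
# LogEvent is not a marked API and the last ForwardTraffic call lies outside the
# +/- 2 s window, so both are ignored by the check.
TRIGGER_TS = 1_700_000_000.0
COMPLIANT_QUEUE = [
    ApiCall(TRIGGER_TS - 0.9, "zt_agent", "GetEncryptedTicket", ("app-42",)),
    ApiCall(TRIGGER_TS - 0.5, "zt_agent", "LogEvent", ("ticket-ready",)),
    ApiCall(TRIGGER_TS - 0.4, "zt_agent", "DecryptTicket", ("app-42", "kid-7")),
    ApiCall(TRIGGER_TS + 0.3, "zt_agent", "ForwardTraffic", ("app-42", "10.0.0.8:443")),
    ApiCall(TRIGGER_TS + 9.0, "zt_agent", "ForwardTraffic", ("app-42", "10.0.0.9:443")),
]
# Traffic forwarded by another process before decryption: the process, order and
# parameter comparisons all fail, so the access is judged non-compliant.
NONCOMPLIANT_QUEUE = [
    ApiCall(TRIGGER_TS - 0.9, "zt_agent", "GetEncryptedTicket", ("app-42",)),
    ApiCall(TRIGGER_TS - 0.6, "other_proc", "ForwardTraffic", ("app-42", "10.0.0.8:443")),
    ApiCall(TRIGGER_TS - 0.4, "zt_agent", "DecryptTicket", ("app-42", "kid-7")),
]
```

The same `judge_compliance` serves an application request by swapping in the mandatory logic process for applying for the ticket and using the time the application request was received as the trigger.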
Specific details of the data processing apparatus provided in each embodiment of the present application have been described in the corresponding method embodiments and are not repeated here.
Fig. 10 schematically shows a block diagram of a computer system for implementing an electronic device according to an embodiment of the application; the electronic device may be the terminal device 101, the zero trust server 102 or the traffic server 103 shown in fig. 1.
It should be noted that the computer system 1000 of the electronic device shown in fig. 10 is only an example and should not impose any limitation on the functions and the application scope of the embodiments of the present application.
As shown in fig. 10, the computer system 1000 includes a Central Processing Unit 1001 (CPU) which can execute various appropriate actions and processes according to a program stored in a Read-Only Memory 1002 (ROM) or a program loaded from a storage section 1008 into a Random Access Memory 1003 (RAM). The RAM 1003 also stores various programs and data necessary for system operation. The CPU 1001, the ROM 1002 and the RAM 1003 are connected to each other via a bus 1004. An Input/Output interface 1005 (I/O interface) is also connected to the bus 1004.
In some embodiments, the following components are connected to the input/output interface 1005: an input section 1006 including a keyboard, a mouse, and the like; an output section 1007 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 1008 including a hard disk or the like; and a communication section 1009 including a network interface card such as a local area network card or a modem. The communication section 1009 performs communication processing via a network such as the internet. A drive 1010 is also connected to the input/output interface 1005 as needed. A removable medium 1011, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1010 as needed, so that a computer program read from it can be installed into the storage section 1008 as needed.
In particular, according to embodiments of the application, the processes described in the various method flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 1009, and/or installed from the removable medium 1011. The computer program, when executed by the central processing unit 1001, performs the various functions defined in the system of the present application.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), flash memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable signal medium, on the other hand, may include a data signal propagated in baseband or as part of a carrier wave, with computer readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the application. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a mobile hard disk, etc.) or on a network, comprising several instructions for causing an electronic device to perform the method according to the embodiments of the present application.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (19)

1. A method of data processing, comprising:
acquiring event triggering time corresponding to a target request, wherein the target request is an application request or a use request of a network access ticket, and the network access ticket is related to zero-trust network access;
determining a detection time period based on the event triggering time, and acquiring API call information corresponding to the detection time period;
judging compliance of the zero trust network access according to the API call information, a mandatory logic process for zero trust network access and a marked API, wherein the mandatory logic process for zero trust network access comprises a mandatory logic process for applying for the network access ticket and a mandatory logic process for using the network access ticket, and the marked API is an embedded API related to a control process of a zero trust security management system.
2. The method of claim 1, wherein when the target request is the application request, the event trigger time is a time at which the application request was received;
the determining a detection period based on the event trigger time includes:
acquiring a first preset time period;
taking the time for receiving the application request as a reference time, and determining a starting time and an ending time according to the reference time and the first preset time period;
and determining the detection time period according to the starting time and the ending time.
3. The method of claim 1, wherein the API call information includes the name of the called API and the process of the caller;
the judging the compliance of the zero trust network access according to the API call information, the mandatory logic process for zero trust network access and the marked API comprises:
comparing the process of the caller with the mandatory logic process for applying for the network access ticket to obtain a first comparison result;
comparing the name of the API with the name of the marked API corresponding to the mandatory logic process for applying for the network access ticket to obtain a second comparison result;
when the first comparison result and the second comparison result both indicate a match, judging that the zero trust network access is compliant; and
when the first comparison result and/or the second comparison result indicates a mismatch, judging that the zero trust network access is not compliant.
4. The method of claim 1, wherein the API call information includes the name of the called API, the process of the caller, the relative call order of the API, and the call parameters;
the judging the compliance of the zero trust network access according to the API call information, the mandatory logic process for zero trust network access and the marked API comprises:
comparing the process of the caller with the mandatory logic process for applying for the network access ticket to obtain a first comparison result;
comparing the name of the API with the name of the marked API corresponding to the mandatory logic process for applying for the network access ticket to obtain a second comparison result;
comparing the relative call order of the API with the relative call order of the marked API corresponding to the mandatory logic process for applying for the network access ticket to obtain a third comparison result;
comparing the call parameters of the API with the call parameters of the marked API corresponding to the mandatory logic process for applying for the network access ticket to obtain a fourth comparison result;
when the first, second, third and fourth comparison results all indicate a match, judging that the zero trust network access is compliant; and
when at least one of the first, second, third and fourth comparison results indicates a mismatch, judging that the zero trust network access is not compliant.
5. The method of claim 3 or 4, wherein the mandatory logic process for applying for the network access ticket comprises a first mandatory logic process and a second mandatory logic process;
the first mandatory logic process is to successfully acquire the network access ticket from a zero trust server according to the acquired information, and to encrypt and store the network access ticket; and
the second mandatory logic process is to generate the network access ticket locally according to the acquired information after acquisition of the network access ticket from the zero trust server fails.
6. The method of claim 1, wherein when the target request is the use request, the event trigger time is the time at which the network access ticket is sent to a proxy client;
the determining a detection period based on the event trigger time includes:
acquiring a second preset time period;
taking the time of sending the network access ticket to the proxy client as a reference time, and determining a starting time and an ending time according to the reference time and the second preset time period;
and determining the detection time period according to the starting time and the ending time.
7. The method according to claim 2 or 6, wherein the acquiring API call information corresponding to the detection period of time includes:
and acquiring API call information corresponding to the detection time period from an API call buffer queue, wherein the API call information comprises call information of the marked API.
8. The method of claim 6, wherein the API call information includes the name of the called API and the process of the caller;
the judging the compliance of the zero trust network access according to the API call information, the mandatory logic process for zero trust network access and the marked API comprises:
comparing the process of the caller with the mandatory logic process for using the network access ticket to obtain a first comparison result;
comparing the name of the API with the name of the marked API corresponding to the mandatory logic process for using the network access ticket to obtain a second comparison result;
when the first comparison result and the second comparison result both indicate a match, judging that the zero trust network access is compliant; and
when the first comparison result and/or the second comparison result indicates a mismatch, judging that the zero trust network access is not compliant.
9. The method of claim 6, wherein the API call information includes the name of the called API, the process of the caller, the relative call order of the API, and the call parameters;
the judging the compliance of the zero trust network access according to the API call information, the mandatory logic process for zero trust network access and the marked API comprises:
comparing the process of the caller with the mandatory logic process for using the network access ticket to obtain a first comparison result;
comparing the name of the API with the name of the marked API corresponding to the mandatory logic process for using the network access ticket to obtain a second comparison result;
comparing the relative call order of the API with the relative call order of the marked API corresponding to the mandatory logic process for using the network access ticket to obtain a third comparison result;
comparing the call parameters of the API with the call parameters of the marked API corresponding to the mandatory logic process for using the network access ticket to obtain a fourth comparison result;
when the first, second, third and fourth comparison results all indicate a match, judging that the zero trust network access is compliant; and
when at least one of the first, second, third and fourth comparison results indicates a mismatch, judging that the zero trust network access is not compliant.
10. The method of claim 8 or 9, wherein the mandatory logic process for using the network access ticket comprises a third mandatory logic process, a fourth mandatory logic process and a fifth mandatory logic process;
the third mandatory logic process is to acquire the encrypted network access ticket corresponding to the current application, decrypt it to obtain the network access ticket, and forward traffic using the network access ticket;
the fourth mandatory logic process is to use the network access ticket directly to forward traffic after it has been successfully acquired from the zero trust server according to the acquired information; and
the fifth mandatory logic process is to generate a network access ticket locally according to the acquired information when acquisition of the ticket from the zero trust server fails, and to use that ticket directly to forward traffic.
11. The method according to claim 1, further comprising:
detecting whether the basic security reinforcement logic has been damaged, and executing a target operation according to the compliance judgment result and the detection result.
12. The method of claim 11, wherein detecting whether the basic security reinforcement logic has been damaged comprises:
detecting whether a module responsible for security detection and compliance reinforcement is missing from its directory;
detecting whether a key service is running, has been maliciously stopped, or has been blinded;
detecting whether a login state and a login ticket exist; and
detecting whether calls to the marked API are compliant, whether the marked API carries copyright information, and whether the marked API has a valid digital signature.
13. The method of claim 12, wherein executing the target operation according to the compliance judgment result and the detection result comprises:
prohibiting the zero trust network access by means of the zero trust security control system when at least one of the compliance judgment result and the detection result is abnormal.
14. The method according to claim 1, further comprising:
acquiring the application frequency of the network access ticket; and
rejecting the application request for the network access ticket when the application frequency is greater than a first frequency threshold.
15. The method according to claim 1, further comprising:
acquiring the call frequency of the marked API; and
when the call frequency of the marked API is greater than a second frequency threshold, stopping issuance of the network access ticket and extending the caching time of the network access ticket in the cache.
16. A data processing apparatus, comprising:
an acquisition module configured to acquire an event trigger time corresponding to a target request, wherein the target request is an application request or a use request for a network access ticket, and the network access ticket is related to zero trust network access;
the acquisition module being further configured to determine a detection time period based on the event trigger time and to acquire API call information corresponding to the detection time period; and
a determining module configured to judge the compliance of the zero trust network access according to the API call information, a mandatory logic process for zero trust network access and a marked API, wherein the mandatory logic process for zero trust network access comprises a mandatory logic process for applying for the network access ticket and a mandatory logic process for using the network access ticket, and the marked API is an embedded API related to a control process of the zero trust security management system.
17. A computer readable medium having stored thereon a computer program which, when executed by a processor, implements the data processing method of any of claims 1 to 15.
18. An electronic device, comprising:
a processor; and
a memory for storing instructions;
wherein execution of the instructions stored by the memory by the processor is for implementing the data processing method of any one of claims 1 to 15.
19. A computer program product comprising computer instructions which, when run on a computer, cause the computer to perform the data processing method of any of claims 1 to 15.
CN202211400208.3A 2022-11-09 2022-11-09 Data processing method, device, computer readable medium and electronic equipment Pending CN116961967A (en)

Publications (1)

Publication Number Publication Date
CN116961967A true CN116961967A (en) 2023-10-27

Family

ID=88443255

Legal Events

Date Code Title Description
PB01 Publication